CVE-2026-42850— Kovidgoyal kitty 命令注入漏洞

Kitty has a shell command injection

Kitty is a cross-platform GPU based terminal. In versions prior to 0.47.0, it is possible to inject commands within the subshell through kitty error. A special escape code will make kitty return an error, this error is not escaped and will be correctly echoed back to the terminal with CRLF, as such it will be run by the shell in use. To exploit this bug, the victim must use a netcat or a similar program to connect to the attacker, or else listening for someone to connect. Once this condition is set, an attacker could pwn the computer of the victim using a special kitty's escape code that will run a command in the shell in use. Version 04.7.0 fixes the issue.

N/A

在命令中使用的特殊元素转义处理不恰当(命令注入)

Kovidgoyal kitty 命令注入漏洞

Kovidgoyal kitty是Kovidgoyal个人开发者开源的一个基于Python的GPU终端仿真软件。 该软件可提供基本的终端功能,并且基于GPU渲染可降低系统负载,采用OpenGL进行渲染,可支持在Linux、Mac上使用。 kovidgoyal kitty 0.47.0之前版本存在命令注入漏洞，该漏洞源于错误信息未进行转义，可能导致命令注入攻击。

N/A

N/A